Analysis of Bionet 4.01

Synopsis

The latest version of the BioNet trojan is now circulating on the Internet, available to would-be hackers for beta testing. Its author, Rezmond, has been working on BioNet for quite some time; this analysis evaluates the threat and explains how the latest version works.

New Features

The release notes for the trojan list several new features: an almost total rewrite of the old code, a new and faster communications engine, an extended file manager, and full compatibility with Windows 9x, ME, 2000 and XP. Unfortunately, the only people who will benefit from these features are those who use trojans to steal and destroy data or wreak havoc in any of the other endless ways trojans make possible.

Server Editor

The trojan comes with a server editor that allows hackers and script kiddies to customize the trojan server. A notable feature of the server editor is the ability to embed scripts that are executed at a specific date and time, or at regular intervals, once the server has compromised a machine. The trojan can also terminate security software, but this is nothing new: the feature was already present in the previous version of BioNet.

The trojan server contains a built-in IRC bot. IRC is a text-based chat system in which users connect to IRC servers to talk with other people around the world in real time. The bot connects to an IRC server and can then be controlled by a hacker or script kiddie through IRC, which means that if someone compromises your machine with BioNet 4, he can access it from any computer on the planet that has Internet access and an IRC client. The server can also be configured to display a fake error message when started, giving the user the impression that something went wrong with the file he downloaded or that the program is buggy. This is of course just a trick to take the user's mind off the fact that he may have just started a trojan. The default error message is "Memory Read Address FF00121 This application has caused an ilegal[sic] operation!"
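Because the bot must register with an IRC server before it can take orders, the handshake itself is a detection opportunity on any network where workstations have no business speaking IRC. The following Python script is an added example (not part of the original analysis and not BioNet's own code): it reassembles client-to-server payload lines per TCP flow, parses them with the RFC 1459 message grammar, and flags any flow from a non-allow-listed host that contains the NICK/USER registration, noting when the session runs on a port other than the usual IRC ports. BioNet's command vocabulary is not documented here, so the script deliberately keys on the generic registration rather than on trojan-specific commands. The hostnames, addresses and payloads in `SAMPLE_FLOWS` are constructed for the example.

```python
"""Flag hosts whose outbound traffic contains an IRC client handshake.

Added example, not part of the original analysis and not BioNet's own code.
The bot's command vocabulary is not documented above, so this looks for the
generic IRC client registration (NICK/USER, optionally PASS) and channel
traffic that any IRC bot must produce, coming from hosts that should never
run an IRC client. SAMPLE_FLOWS below is constructed.
"""
import re

# RFC 1459 message: [':' prefix ' '] command (' ' param)* [' :' trailing]
_IRC_MSG = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Verbs a client sends when registering, joining channels and talking.
CLIENT_VERBS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "PONG", "MODE"}
IRC_PORTS = {6667, 6697}


def parse_irc_line(line):
    """Parse one IRC message into (prefix, COMMAND, params) or None if malformed."""
    m = _IRC_MSG.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return m.group("prefix"), m.group("command").upper(), params


def irc_client_verbs(payload_lines):
    """Set of IRC client verbs observed in a client-to-server byte stream."""
    seen = set()
    for line in payload_lines:
        parsed = parse_irc_line(line)
        if parsed and parsed[1] in CLIENT_VERBS:
            seen.add(parsed[1])
    return seen


def find_irc_c2(flows, irc_allowed_hosts=frozenset()):
    """flows: (src_host, dst_host, dst_port, client_payload_lines) tuples.

    Returns one (src, dst, port, reason) per flow that carries an IRC
    registration handshake from a host not on the allow list."""
    findings = []
    for src, dst, port, lines in flows:
        if src in irc_allowed_hosts:
            continue
        verbs = irc_client_verbs(lines)
        if not {"NICK", "USER"} <= verbs:
            continue  # no registration, so not an IRC session
        reason = "IRC registration (" + ", ".join(sorted(verbs)) + ")"
        if port not in IRC_PORTS:
            reason += f" on non-IRC port {port}"
        findings.append((src, dst, port, reason))
    return findings


# Constructed sample: client-side payload lines reassembled per TCP flow.
SAMPLE_FLOWS = [
    ("ws-17", "203.0.113.5", 6667,
     ["NICK w0rm-1a2b", "USER w0rm-1a2b 8 * :w0rm", "JOIN #lobby"]),
    ("ws-22", "198.51.100.7", 443,
     ["PASS letmein", "NICK drone-77", "USER drone-77 0 * :drone",
      "JOIN #lobby", "PRIVMSG #lobby :online"]),
    ("ws-03", "192.0.2.9", 80,
     ["GET / HTTP/1.1", "Host: www.example.com", ""]),
    ("dev-01", "203.0.113.5", 6667,
     ["NICK alice", "USER alice 0 * :Alice", "JOIN #dev"]),
]


if __name__ == "__main__":
    for src, dst, port, reason in find_irc_c2(SAMPLE_FLOWS, {"dev-01"}):
        print(f"{src} -> {dst}:{port}: {reason}")
```

Running it flags ws-17 (plain IRC on 6667) and ws-22 (IRC tunnelled over port 443), while the HTTP flow from ws-03 and the legitimate developer on dev-01 pass. The allow list is the important knob: on a network where nobody is permitted to use IRC it can be empty, and every registration from a workstation becomes worth a look.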

Trojan Client

The client part of the trojan gives a remote adversary a frightening amount of control over a compromised computer. Using the file manager, files can be uploaded, downloaded, renamed and deleted. Other parts of the client allow termination of any running application or process, viewing of the clipboard and editing of the registry. If the compromised computer has a web camera installed, an adversary can remotely view anything the camera sees; if a microphone is installed, remote eavesdropping becomes possible. BioNet's keylogger lets an adversary see every key typed on the computer, including passwords for online banking and other sensitive information. In short, this is not a trojan you want on your system.

Conclusion

The latest version of the BioNet trojan has evolved into an even bigger threat than its predecessors, and will no doubt be widely spread and used once the final release is available. Users should not run any file they are not certain is legitimate, and should make sure they have security software that can detect and remove the trojan. TrojanHunter is able to do this; a trial version can be downloaded here. If you have any additional questions about this trojan, don't hesitate to ask them in the forum, in the board entitled "Trojans".
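One simple form of the detection mentioned above is a string signature: the default fake error message quoted in the Server Editor section, misspelling included, is a distinctive artefact of an unmodified BioNet 4 server. The Python script below is an added example and is not TrojanHunter's detection logic. It assumes (this is not verified against a real sample) that the message is stored unobfuscated in the server executable, as either an ANSI or a UTF-16LE string, and it scans a directory tree for both encodings while recording each file's SHA-256 for later correlation. The sample files it writes to a temporary directory are constructed; the "executable" is just a byte blob carrying the string. The obvious caveat is that anyone who changes the message in the server editor defeats this single signature, which is why a real scanner relies on many indicators rather than one.

```python
"""Scan files for the default fake error text of the BioNet 4 server.

Added example, not TrojanHunter's detection logic. Assumption (not verified
against a real sample): the message is stored unobfuscated in the server
executable, as an ANSI or a UTF-16LE string. Only the default message is
caught; an attacker who customises it in the server editor defeats this
check, which is why real scanners combine many signatures.
"""
import hashlib
import os
import tempfile

# Distinctive fragment of the default message quoted above, misspelling included.
DEFAULT_FAKE_ERROR = "This application has caused an ilegal operation!"

INDICATORS = {"bionet4_default_fake_error": DEFAULT_FAKE_ERROR}


def byte_patterns(text):
    """Both encodings a Win32 program would plausibly use for a string literal."""
    return (text.encode("ascii"), text.encode("utf-16-le"))


def scan_bytes(data, indicators=INDICATORS):
    """Return the names of indicators whose byte pattern occurs in data."""
    return [name for name, text in indicators.items()
            if any(p in data for p in byte_patterns(text))]


def scan_file(path, indicators=INDICATORS):
    """Return (sha256 hex, list of matched indicator names) for one file."""
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.sha256(data).hexdigest(), scan_bytes(data, indicators)


def scan_tree(root, indicators=INDICATORS):
    """Map each file under root (relative path) to its (sha256, hits)."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = scan_file(full, indicators)
    return results


def build_sample_dir(root):
    """Write constructed files: a fake 'download' carrying the string, and a clean file."""
    fake_exe = (
        b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + os.urandom(256)
        + DEFAULT_FAKE_ERROR.encode("utf-16-le") + b"\x00\x00" + os.urandom(128)
    )
    with open(os.path.join(root, "downloaded_game.exe"), "wb") as f:
        f.write(fake_exe)
    # Correctly spelled "illegal" must not match the misspelled indicator.
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"This application works fine and causes no illegal operation.\n")


def demo():
    """Build the sample tree in a temp dir, scan it, return {path: hits}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        return {path: hits for path, (_, hits) in scan_tree(root).items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        status = "suspicious: " + ", ".join(hits) if hits else "no indicators"
        print(f"{path}: {status}")
```

To scan a real directory, call `scan_tree("C:\\Downloads")` (or any path) and report the entries whose hit list is non-empty; the SHA-256 lets you submit or block a specific sample once it has been confirmed.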